Skip to main content

Security readiness, stated plainly.

TvRMM is building a SOC 2-aligned security readiness program so customers can see how we protect the hosted service today, what we are tightening now, and what evidence we plan to publish as it is approved.

TvRMM is not currently SOC 2 audited. This page is self-attested and provided for transparency; it is not a SOC 2 report, certification, or independent assurance opinion.

Where we are today.

Last updated: 2026-07-01. This is the customer-facing status of the readiness program, not an auditor-issued conclusion.

What is already in place

TvRMM already publishes its security model, responsible disclosure path, subprocessor list, DPA, retention policy, and customer-facing support boundaries. The initial SOC 2-aligned governance baseline was approved on 2026-07-01, covering system scope, policy set, control mapping, readiness mapping, and control ownership.

What we are collecting now

Operating evidence collection remains in progress. The next milestones are access-review evidence, CI and change-management evidence, backup and restore-test evidence, critical-vendor review evidence, tenant-isolation evidence, and incident-response exercise evidence.

What customers should expect next

As redacted evidence summaries are reviewed and approved for publication, this page will grow into a public trust center with clearer control status and a documented path toward third-party readiness review.

What this program is meant to prove.

Our readiness work is focused first on Security, Availability, and Confidentiality. The controls below summarize the commitments we are organizing, operating, and evidencing for customer review.

Control areaPublic summary
Access controlProduction and customer data access are intended to use named accounts, least privilege, MFA where supported, and periodic review.
Change managementProduct changes are tracked in Git. The app repo uses CI validation, and hosted deployments are explicit operator actions.
Tenant isolationThe hosted app is designed around tenant and organization scoping, role-gated actions, and customer-approved support access.
Agent identityAgents enroll into a customer context and use identity material to communicate with the service.
Endpoint actionsScripts, terminal, patching, reboot, updates, cleanup, and remote access are treated as high-risk actions requiring authorization and auditability.
Secrets managementOperational secrets are intended to be stored outside source code and loaded into runtime/deploy workflows from approved secret stores.
Vulnerability managementSecurity findings from scans, tests, reviews, and reports are tracked to remediation or documented risk acceptance.
Incident responseTvRMM maintains an incident-response process for triage, containment, remediation, customer-impact review, and follow-up.
Backup and recoveryProduction backup automation exists, and restore-test evidence is part of the readiness roadmap.
Vendor managementProviders that process customer data or support production are inventoried and reviewed.
Data handlingRetention, export, deletion, and support-access expectations are tracked against public legal/security commitments.

What customers should be able to rely on.

RMM software has unusual authority over endpoints. Our security program therefore covers both normal SaaS controls and the endpoint-management safeguards customers need to inspect before trusting the service.

Security practices we track

  • authenticated portal sessions
  • role-scoped access
  • tenant and organization boundaries
  • customer-approved support access
  • certificate-backed or credential-backed agent identity paths where supported
  • encrypted portal and agent traffic
  • security-sensitive action logging
  • explicit endpoint deletion, revocation, and cleanup paths
  • source-controlled changes
  • CI validation
  • operational secrets stored outside source code
  • production backups and restore-test evidence as the program matures
  • vendor/subprocessor review

RMM safeguards we track

  • agent enrollment and identity
  • tenant isolation
  • endpoint action authorization
  • script, terminal, patch, reboot, update, and remote-access auditability
  • support-grant and break-glass handling
  • sensitive output handling and redaction
  • agent revocation and endpoint retirement
  • customer export and deletion expectations

Program work in motion

  • Governance baseline: Initial system scope, policy set, control matrix, SOC 2 readiness mapping, and control ownership were approved on 2026-07-01.
  • Evidence boundary: The approved baseline is governance design evidence. It is not operating-effectiveness evidence, a SOC 2 report, certification, or independent assurance opinion.
  • Public security page: The product security model is live on the public website and tied to this readiness program.
  • Public evidence index: The first public evidence summary is approved for publication: the initial governance baseline approval.
  • Access reviews: The access-review process is prepared; the next milestone is completing the first formal review and retaining evidence.
  • Vendor reviews: The vendor-review process is prepared; the next milestone is completing review evidence for critical providers.
  • Backup evidence: Production backup automation has been identified; restore-test evidence is needed before stronger public recovery claims are appropriate.
  • Incident response: The incident-response policy and template exist; a tabletop exercise is the next evidence milestone.
  • App evidence automation: Product requirements have been identified so more control evidence can be captured consistently from the app over time.

If you find a security issue.

TvRMM welcomes good-faith security reports. We ask researchers to report safely, avoid customer data, and stay inside the published research boundaries.

Helpful report details

  • a clear description
  • affected URL, endpoint, agent behavior, or component
  • steps to reproduce
  • expected impact
  • safe proof of concept
  • contact information for follow-up

Research boundaries

  • use accounts, tenants, endpoints, and data you own or are authorized to test
  • avoid privacy violations or data exfiltration
  • avoid denial of service, spam, phishing, social engineering, malware, persistence, or destructive changes
  • stop and report promptly if you encounter customer data or service-impacting behavior

Coordinated disclosure

TvRMM asks researchers to allow a reasonable remediation period before public disclosure. A typical target is 90 days from acknowledgement, adjusted for severity and remediation complexity.

Backup and recovery stance.

TvRMM maintains backup and recovery procedures for the hosted service. We are intentionally careful about this wording until restore tests and recovery targets are documented enough to support stronger public claims.

AreaStatus
Production backup automationAutomation is in place for the hosted service and is being folded into readiness evidence.
Backup monitoring evidenceMonitoring evidence is being collected and reviewed.
Restore-test evidenceRestore-test evidence is the next milestone before stronger recovery claims are appropriate.
RTO/RPO targetsTargets will be published only after they are defined, tested, and supportable.

Customer responsibility

TvRMM backups protect the hosted service. Customers remain responsible for endpoint backups, local administrator access, business continuity plans, and recovery procedures for systems they manage with TvRMM.

Current claim boundary

Until restore tests are documented, public wording should say that backup and recovery procedures are being maintained and tested as part of the readiness program. It should not imply independently audited resilience or guaranteed recovery objectives.

How this will mature

As restore tests, monitoring evidence, and recovery targets are documented, this section should become more specific. Until then, the honest statement is that recovery procedures exist and are being tested as part of the readiness program.

Providers that support the service.

TvRMM uses providers to host, secure, bill, monitor, deliver, and operate the service. The legal subprocessor page remains the policy source; this summary explains the same provider landscape in the context of security readiness.

ProviderPurposeData involved
OVHCloud / OVH Proxmox and shared edge infrastructureHosted portal, agent check-in services, compute, storage, database, networking, package/installer hosting, monitoring, static website/help site, and public edge delivery.Customer tenant data, endpoint data, operational records, logs, billing metadata, service telemetry, website request metadata, and release/download metadata.
StripeCheckout, payment processing, customer portal, invoices, refunds, payment status, and billing webhooks.Billing metadata, payment status, customer identifiers, invoice and refund records. Stripe handles payment method details directly.
CloudflareDNS, domain security, edge routing, and email/contact routing where used.DNS/routing metadata, security logs, and contact-routing metadata where applicable.
GitHubSource control, issue/PR workflow, release automation, and CI/CD operations.Source code, deployment metadata, operational artifacts, and issue/support context when intentionally added.
vanRoojen LLC operated analyticsPrivacy-conscious product-site analytics.Page views, referrers, device/browser metadata, and approximate analytics data.

What we plan to do next.

This roadmap shows the path from current self-attested readiness work toward a more evidence-backed trust center and, later, a possible third-party readiness review or formal SOC 2 audit path.

Phase 1: Program Foundation

  • Approved initial system scope
  • Approved security, access, change, incident, vulnerability, backup, vendor, and retention policies
  • Approved the initial control matrix and SOC 2 readiness mapping
  • Created evidence templates
  • Started the risk register
  • Published the first public evidence-index entry for governance baseline approval

Phase 2: Evidence Collection

  • Keep public evidence summaries current as redacted evidence is approved
  • Capture access-review evidence
  • Capture CI and change-management evidence
  • Capture backup job evidence
  • Run and document a restore test
  • Review critical vendors
  • Collect security testing and tenant-isolation evidence

Phase 3: RMM-Specific Control Hardening

  • Strengthen endpoint action decision/audit evidence
  • Prove tenant isolation with DB-backed tests
  • Track support grants and break-glass access with tenant-visible records
  • Confirm agent enrollment, revocation, deletion, and cleanup evidence
  • Confirm sensitive script/command output redaction

Phase 4: Public Trust Center

  • Publish a self-attested security overview
  • Publish vulnerability disclosure guidance
  • Publish a public control summary
  • Publish backup/recovery and subprocessor summaries
  • Keep all public claims matched to current implementation and evidence
Future audit path
third-party readiness assessment
SOC 2 Type 1
SOC 2 Type 2 after an observation period

Public evidence index.

Redacted evidence summaries will appear here only after they are reviewed and approved for public release. We will not publish raw logs, customer names, secret values, non-public operations details, or unredacted screenshots.

Evidence IDControl areaPublic statusSummary locationLast reviewed
EVID-2026-07-01-003Governance baselinePublishedInitial SOC 2-aligned system scope, policy set, control matrix, readiness mapping, and control-owner model approved on 2026-07-01. This is governance design evidence, not operating-effectiveness evidence or independent audit evidence.2026-07-01

Draft

Wording exists, but it has not been approved for customer use.

Approved for controlled sharing

Reviewed for selected customer or reviewer conversations, but not posted publicly.

Approved for publication

Reviewed for the public website and ready to publish.

Published

Live on the public website.

Withdrawn

Removed because it is outdated, incomplete, or no longer safe to share.

How to read this page.

We want this page to be useful for customer due diligence without overstating where the program is today.

No audit claim

TvRMM is not currently SOC 2 audited. Nothing on this page should be read as a SOC 2 report, certification, or independent assurance opinion.

Self-attested transparency

This page is TvRMM explaining its own current security readiness work in public, using only material approved for public sharing.

Evidence over slogans

The goal is to keep public claims matched to implementation and evidence, then publish redacted support where it is safe and useful for customers.